Nexus Intelligence Insights Sonatype-2017-0312: jackson-databind, The End of the Blacklist

For our October Nexus Intelligence Insight we will return to a very popular component that has been both a blessing and a curse to developers around the world. We’ll cover a fundamental change to a default setting and how that change in ‘type’ may impact the security of your next open source project. 

Before you read this post, you may want to review the ongoing issue with jackson-databind and Sonatype’s remediation guidance as a result.

Name of Vulnerability:  Sonatype-2017-0312

Associated CVEs: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, sonatype-2019-0371, and CVE-2019-16335. 

Type of Vulnerability: Deserialization leading to Remote Code Execution (RCE)

Component Name: `com.fasterxml.jackson.core:jackson-databind`

Versions Affected: (2.10.0)

Criticality/CVSS Metrics: 8.5 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Vulnerability Description:

For those who’d prefer a summary, the attack vector for this vulnerable component lies in the deserialization of untrusted data from improperly validated objects being provided as an input to an application. Should an attacker be able to influence the serialized object data and inject malicious code or logic into it, that code could wreak havoc in the application environment upon deserialization – from seemingly benign crashes to remote code execution to a total system compromise.

As mentioned in the previous post, Databind addressed the multiple deserialization vulnerabilities by using a “blacklist” approach, meaning the objects of restricted subtypes were not to be processed by the component for deserialization. 

Blacklist approach:

The String-Set “s” maintains a list of “nasty classes” which are known to cause security issues and are restricted from being deserialized.

Blacklist approach JDB

Incomplete fix which further added “more classes” to the same blacklist:Incomplete fix JBD

Consequently, the Sonatype data research team concluded all such “fixes” as partial or incomplete. 

To reduce the scan noise for our (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Elisa Velarde. Read the original post at: https://blog.sonatype.com/jackson-databind-the-end-of-the-blacklist